From: gcuesta at netimedias.com (Gilles Cuesta)
Subject: Path Parsing Errata in Apache HTTP Server

On Wed, 22 Jan 2003 09:00:58 -0500
"mattmurphy@...rr.com" <mattmurphy@...rr.com> wrote:

> Issue 3 (VU#384033):
> 
> Exploitation of this condition could lead to bypass of default script 
> mapping behavior.  This flaw impacts Apache on all platforms.  This 
> issue is best described with an example:
> 
> http://localhost/folder.php/file
> 
> Apache should parse 'file' as plain text -- that is, simply returning
> it to the browser.  However, an incorrect check in Apache's mapping 
> algorithms, causes the 'php' extension to be associated with this 
> request.  Rather than checking only the file's extension, Apache
> checks for extensions in any path member, stopping at the first.
> 
> This is more of a weakness than a vulnerability, as exploitation only 
> yields UID nobody if you allow uploading under the docroot *and*
> filter by filename only, in which case you have far more serious
> concerns than the exploitation of this issue.
> 
> DETECTION
> 
> These issues are believed to be specific to the 2.0 branch; Apache 
> 1.3.27 (and all other 1.x versions) are believed immune from these 
> issues.  Apache 2.0.43 and prior should be upgraded to the 2.0.44 
> release, which will be available from 
> <http://httpd.apache.org/dist/httpd>.

This issue doesn't run on an RH 8.0 httpd server:

# cat /etc/issue
Red Hat Linux release 8.0 (Psyche)
Kernel \r on an \m

# rpm -qa | grep httpd
httpd-2.0.40-11
# rpm -qa | grep php
php-mysql-4.2.2-8.0.5
php-4.2.2-8.0.5

# lynx -source http://localhost/folder.php/text
<?php
phpinfo();
?>

# lynx -source http://localhost/folder.php/text.php
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head><style type="text/css"><!--
a { text-decoration: none; }
...
...
...
<p>If you did not receive a copy of the PHP license, or have any
questions about PHP licensing, please contact license@....net.</p>
</td></tr>
</table><br />
</body></html>

-- 
Gilles Cuesta
Netimedias - http://www.netimedias.com
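Added example, not from either post and not Apache's code: a small Python model of the mapping behaviour the quoted advisory describes, run over a constructed docroot laid out like the RH 8.0 test above (a directory named folder.php holding "text" and "text.php"). The handler table with a single .php mapping is an assumption standing in for a typical mod_php AddType line. map_flawed() does what the advisory says 2.0.43 and earlier do (scan every path member, stop at the first mapped extension), map_fixed() consults only the name of the file actually served, and misrouted() lists the requests where the two disagree.

```python
"""
Model of the Apache 2.0 script-mapping flaw quoted above (VU#384033).

Added example, not Apache's code. It models the advisory's description:
the flawed mapper looks for a mapped extension in *any* path member and
stops at the first hit; the corrected mapper consults only the extension
of the file that is actually served, anything after it being PATH_INFO.
"""

# Constructed docroot: two files under a directory whose name ends in .php,
# mirroring the RH 8.0 test above, plus one unrelated plain file. Values
# stand in for file contents and play no part in the mapping.
DOCROOT_FILES = {
    "folder.php/text": "<?php phpinfo(); ?>",
    "folder.php/text.php": "<?php phpinfo(); ?>",
    "docs/readme.txt": "plain text",
}

# Assumed handler table, in the spirit of an AddType line for mod_php.
HANDLERS = {".php": "application/x-httpd-php"}
DEFAULT_TYPE = "text/plain"


def extensions_of(member):
    """All extensions of one path member: 'a.tar.gz' -> ['.tar', '.gz']."""
    parts = member.split(".")
    return ["." + p for p in parts[1:] if p]


def lookup(extensions):
    """First mapped extension wins; None if nothing in the list is mapped."""
    for ext in extensions:
        if ext in HANDLERS:
            return HANDLERS[ext]
    return None


def split_filename(request_path):
    """Walk the request path the way a directory walk would: the shortest
    prefix naming an existing file is the filename, the rest is PATH_INFO."""
    members = request_path.strip("/").split("/")
    for i in range(1, len(members) + 1):
        candidate = "/".join(members[:i])
        if candidate in DOCROOT_FILES:
            rest = "/".join(members[i:])
            return candidate, ("/" + rest if rest else "")
    return "/".join(members), ""


def map_flawed(request_path):
    """Pre-2.0.44 behaviour as described: scan every member of the request
    path, left to right, and take the first mapped extension found."""
    for member in request_path.strip("/").split("/"):
        handler = lookup(extensions_of(member))
        if handler is not None:
            return handler
    return DEFAULT_TYPE


def map_fixed(request_path):
    """Only the served file's own name decides the handler; directory names
    and PATH_INFO are ignored."""
    filename, _path_info = split_filename(request_path)
    basename = filename.rsplit("/", 1)[-1]
    return lookup(extensions_of(basename)) or DEFAULT_TYPE


def misrouted(request_paths):
    """Requests the flawed mapper would hand to a script handler although the
    served file itself carries no mapped extension."""
    return [p for p in request_paths if map_flawed(p) != map_fixed(p)]


if __name__ == "__main__":
    for path in ("/folder.php/text", "/folder.php/text.php", "/docs/readme.txt"):
        print(f"{path:24} flawed={map_flawed(path):24} fixed={map_fixed(path)}")
    print("misrouted:", misrouted(["/folder.php/text", "/folder.php/text.php"]))
```

The lynx output in the reply above is consistent with the corrected mapper rather than the flawed one: /folder.php/text came back as PHP source, and only /folder.php/text.php was executed.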
